Interview: Janet Hughes, Gov.uk Verify programme director, GDS

The future of identity assurance

Once Verify is live, the Government Digital Service (GDS) will begin looking at how to make the system available more broadly.

The goal is for Verify to become the standard way for citizens to prove their identity, not just in central government, but for other services as well.

“The vision is that people think about having an identity account in the same way they have a bank account, and being able to use it to access all sorts of services, such as opening a bank account, interacting with their local authority, checking their health records, booking a flight and getting a new mobile phone contract,” says Hughes.

She is unable to predict when it “will reach critical mass”, but says the service may get there by the end of this Parliament.

“We’re not just trying to set up a service here, we’re trying to establish a new market for identity services in the UK”

Janet Hughes, GDS

“There’s a lot of incentive. The lack of trust online is one of the main barriers in the next phase of development in commerce and online interaction. There are so many things you still need to do face-to-face or by post because it’s not been possible to establish online enough confidence that you are who you say you are,” she says.

“We’re at a tipping point – we’ve shown it can be done and it can work, so the development on that will be very rapid.”

The service still has a long way to go, however, and the project has so far proved to be more complex than expected.

The complexity of identity

The original plan was to have the first operational services up and running in spring 2013. Then, in April 2014, GDS said it expected to have 600,000 users by the end of the year. In July 2015, the target was revised to 700,000 users by November 2015.

The system works by having users register with one of eight approved third-party identity providers, such as Experian and the Post Office, which perform the identity checks required to verify an individual user. Once verified, the company confirms electronically to the GDS that the individual is allowed access.

Some of the criticism around Verify has focused on the datasets used by those companies when trying to confirm a user’s identity, raising doubts that, in some cases, they are sufficient to achieve the necessary levels of assurance.

Farmers logging in to claim rural subsidy payments is one such example. Farmers who had never had a mortgage or credit card were not referenced by Experian’s credit check databases, which caused some problems.

To address those problems, Hughes and her team have been working with the market and providers to make sure other options are available.

“It’s a huge challenge,” she says. “We’re not just trying to set up a service here, we’re trying to establish a new market for identity services in the UK. When we started our public research, the providers were relying entirely on a very limited range of data sources and methods.”

50 types of data sources

Now, if users don’t hold a UK passport or driving licence, they can use any identity document from more than 200 countries. There are other options too.

Responding to the criticism and working with the market, GDS has found a way to let people use their mobile phone contract as part of the identity evidence.

“Now there are 50 different types of evidence and data sources because of the work we did to set the new framework and create incentives for providers to introduce more things, but also the work we’ve done in the secondary market,” she says.

“We’ve got lots more of that to come after we go live. It takes time to get to the start line in a service like this, but we will continue to improve and get the identity providers on board.”

Collaboration is key

Hughes is well aware of the challenges that come with creating something new, especially something that involves huge amounts of collaboration, not just within her team, but with government departments, providers and the public.

But she says it’s been easier to take a collaborative approach with Verify from the beginning, “because we always understood that there were people in departments who were experts in identity assurance, and we always understood that we didn’t know everything about it”.

“It’s about striking the right balance between acquiring expertise and taking the lead in terms of delivering a cross-government service,” she says.

“We need to be at the forefront of the discussion with the market and privacy groups, but we need to be very clear about what value we’re bringing to the table and show empathy and listen carefully to our colleagues who have a much better understanding than we do of their own department’s services and the needs of users of those services.”

From psychology to digital

It’s abundantly clear that Hughes thoroughly enjoys her job and believes in the work the team is doing. She sees the project as her quest, and always wants to “find fellow travellers” to come on the quest with her.

Her background may perhaps have something to do with her passion for people. Having studied psychology and English at university, becoming programme director at GDS was not always her life goal. After graduating, she began her career not in psychology, but as a clerk in the House of Commons.

“What I got from that was a breath of understanding of how government works, how Parliament works and how public policy works. And I developed a real passion for transparency and openness and an understanding of politics,” she says.

While I was [at the London Assembly] I got really fascinated by technology and its potential to transform the state

But it wasn’t until she began working for the London Assembly, where she spent 11 years – the last five as head of scrutiny and investigations – that she was bitten by the digital bug. “While I was there I got really fascinated by technology and its potential to transform the state,” says Hughes.

She was then asked to advise on a government panel on open data and transparency. By the time GDS was set up in 2012, she had decided that was the place for her.

After working on the government’s Gov.uk website, which went live in 2012, Hughes was looking for another challenge. She came across the identity assurance programme, which she describes as a programme that, at the time, “was in the basement and a very different part of GDS”.

“It was a very different beast, and they were doing something which a lot of people thought had practically no chance of success, but seemed really fascinating due to the breadth of issues,” she says.

In summer 2015, Hughes ended up as the programme director, which she says has deepened her understanding of what it’s like working in an agile environment and “genuinely having a multidisciplinary team”. 

“It’s a really interesting learning curve, and very fascinating to me, as someone who trained to be a psychologist, to see how people from such different backgrounds work together and try to discover how to get them to really enjoy that.”

Developing the service

With the complexities of Verify, Hughes’ psychology background may be exactly what the programme needs.

While it’s important to have a lot of diversity to make sure as many people as possible can use the service, it also needs to be straightforward and simple, to avoid alienating people trying to use the system.

Verify has held 91 user research sessions to pin down the best way to do this, but Hughes says “there is still plenty of opportunity to carry on refining that, and it will be an ongoing quest to get that balance right”.

For now, getting the system live is the main focus, but Verify has, from the very beginning, been designed so that it would work for both public and private sector.

GDS has already done a pilot in Warwickshire, joining up the local authority, Verify and a service from the Department for Work and Pensions to allow people to apply for a blue badge online.

“After go-live we will start looking much more actively at how to make verify available more broadly,” she says.

Built to be secure

Recently, Computer Weekly reported that Liverpool Clinical Commissioning Group is working with the Health and Social Care Information Centre (HSCIC) and GDS to look at the potential of extending Verify to healthcare.

However, at the time, Rob Shaw, director of operations at the HSCIC, said there were “certain transactions where Verify is not quite there in terms of the level of security we’ll need for health services”, adding that it was likely the NHS would “end up with a hybrid of different things”.  

Hughes says the project is currently exploring thoroughly what the health service needs to enable it to use Verify, because “every time you look at a different sector or department, it throws up a whole other range of different things to learn and understand”.

In health, she says, there are particular risks that need to be mitigated. They aren’t specifically to do with identity assurance, but rather about how the service is designed.

“So the question isn’t ‘Is Verify secure enough?’ It’s ‘What else do you have to do apart from identity assurance to make sure our services are secure?’,” she says.

Security has been a key factor in the design of the service, and Hughes and her team are constantly working to understand how the market is developing, to make sure they put in place the latest technologies and approaches to security.

Bold, brave and positive

To Hughes, it’s important to always be transparent, both internally and externally, and tackle any problems that occur head-on.

“If there is a problem, discuss it. Because you can always fix it by talking about it, but if you let it fester, it’ll eat you up,” she says. Her tagline, which has become somewhat famous in GDS circles, is: Be bold, be open and be positive.

“I don’t reckon there’s anything I’ve come across in the past few years that can’t be solved by one of those things,” she concludes.